Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-33678

A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable.

Published

2021-07-14T12:15:08.377

Last Modified

2024-11-21T06:09:20.760

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: COMPLETE

Exploitability Score

8.0

Impact Score

7.8

Weaknesses

Type: Primary
CWE-95
Type: Secondary
CWE-94

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	sap	netweaver_application_server_abap	75a	Yes
Application	sap	netweaver_application_server_abap	75b	Yes
Application	sap	netweaver_application_server_abap	75c	Yes
Application	sap	netweaver_application_server_abap	75d	Yes
Application	sap	netweaver_application_server_abap	75e	Yes
Application	sap	netweaver_application_server_abap	75f	Yes
Application	sap	netweaver_application_server_abap	700	Yes
Application	sap	netweaver_application_server_abap	701	Yes
Application	sap	netweaver_application_server_abap	702	Yes
Application	sap	netweaver_application_server_abap	710	Yes
Application	sap	netweaver_application_server_abap	711	Yes
Application	sap	netweaver_application_server_abap	730	Yes
Application	sap	netweaver_application_server_abap	731	Yes
Application	sap	netweaver_application_server_abap	740	Yes
Application	sap	netweaver_application_server_abap	750	Yes
Application	sap	netweaver_application_server_abap	751	Yes
Application	sap	netweaver_application_server_abap	752	Yes

References

http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html Exploit, Third Party Advisory, VDB Entry ([email protected])
http://seclists.org/fulldisclosure/2022/May/42 Exploit, Mailing List, Third Party Advisory ([email protected])
https://launchpad.support.sap.com/#/notes/3048657 Permissions Required ([email protected])
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 Vendor Advisory ([email protected])
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2022/May/42 Exploit, Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://launchpad.support.sap.com/#/notes/3048657 Permissions Required (af854a3a-2127-422b-91ae-364da2661108)
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)